A Step Into Healthcare’s Cloudy Future: New HIPAA Rules for CSPs

November 28, 2017

By Joseph T.D. Tran, Attorney at Law

Healthcare organizations have been slow to adopt cloud computing. Two factors likely contribute to hospitals' hesitation: guidance from the Office for Civil Rights (OCR) on how HIPAA applies to the cloud has until recently been imprecise, and hacking and ransomware breaches are increasingly common.

“The ability to access mission critical data from any location in the world and on any mobile device is at the core of cloud computing. Instant access to patient information helps inform vital healthcare decisions and outcomes.”

Cloud computing is particularly relevant to electronic health record (EHR) systems and electronic visitor management systems (EVMS). Historically, EHR data has been stored on local servers, and EVMS have required software installed on physical hardware such as a kiosk. With cloud computing, the virtual replaces the physical: EHR storage and EVMS software are hosted off-site by the provider and accessed over the internet.

New HIPAA Rules

The OCR has taken the next step into healthcare's cloud-based future by clarifying an important aspect of patient privacy. A Cloud Services Provider (CSP) that creates, receives, maintains or transmits electronic protected health information (ePHI) on behalf of a covered entity (CE) such as a hospital or healthcare provider is a HIPAA Business Associate (BA). Previously, CSPs that stored only encrypted data and did not hold the decryption key argued that, because they could not read the data, they were not subject to the HIPAA Privacy and Security Rules. OCR's guidance rejects that argument: a CSP is a BA even when it holds only encrypted ePHI and lacks the key, and the rule is now clear that a covered entity must enter into a Business Associate Agreement (BAA) with its cloud services provider before ePHI is placed in the cloud. If a CSP refuses to sign a HIPAA-compliant agreement, find another provider.

Before entering into a BAA, ask the following:

How are you HIPAA compliant? Don't accept a CSP's bare claim of HIPAA compliance; there is no official HIPAA certification. Ask for specific evidence of its policies and procedures, such as a recent security risk analysis, independent audit reports, and a description of the technical safeguards (encryption, access controls, audit logging) that will apply to your ePHI.

Who owns the data after service termination or a payment dispute? Make clear that all ePHI belongs to the CE at all times, especially upon termination or a contract dispute, and spell out how and when the data will be returned or destroyed. Further, HIPAA does not permit a CSP to withhold the CE's access to its ePHI during a fee dispute, so you may wish to state that expressly in the BAA for additional assurance.

How will you notify me of data breaches? After a breach, the CE must notify affected individuals, OCR and, in some cases, the media. The Breach Notification Rule gives a BA up to 60 days after discovery to report a breach to the CE, so negotiate a much shorter contractual deadline rather than relying on that outer limit. To avoid costly fines, also make sure the CSP holds a current list of the CE's authorized contacts it can reach quickly, and that the notice will include what the CE needs to meet its own obligations (what happened, which individuals and data were affected, and what the CSP is doing about it).

What happens when CSP service is interrupted or unavailable? Service interruption is possible, and it can adversely affect patient care. Discuss with the CSP the procedure and timeline for restoring access to cloud-based data and services, including how quickly records will be recovered and from what backups. Remember that the HIPAA Security Rule still requires the CE to maintain its own contingency plan, so decide in advance how critical patient information will be reached while the service is down.

In addition to a BAA, a covered entity should consider requesting a Service Level Agreement (SLA): a document that addresses areas not covered in a standard BAA. These areas may include data use, the division of security responsibility between the CE and the CSP, system availability, data recovery, and any other service issues specific to the CE. A well-drafted SLA can provide the additional transparency some CEs need to confidently embrace a progressive, cloud-based future.

Contact the LAMMICO Risk Management and Patient Safety Department at 504.841.5211 for more information on BAAs and Cloud Service Providers.